The Dark Side of IT: Cyber Warfare (pt. 2)
It was a marksman’s job (New York Times, 2011)
Last time I finished my post by telling you about Stuxnet, and I think the infographic was quite clear about its capabilities and the threat it poses. However, I want to highlight a few fundamental points here. Never before have we witnessed such a highly specialized and well planned digital attack on an industrial plant. The hardware of a nuclear facility was deliberately sabotaged using software.
So, Stuxnet was a game changer and I’m going to elaborate a little more on why that is. First of all, Stuxnet did something completely new (not just one thing, by the way): it targeted industrial systems. To be more precise, it targeted Programmable Logic Controllers (PLCs), the small computers that control industrial hardware like pumps and valves. At Natanz in Iran these PLCs also controlled the uranium enrichment centrifuges. Stuxnet hooked the software on the Windows PCs that engineers use to program and monitor the PLCs, so it sat as a man-in-the-middle between engineer and controller. That let it change the centrifuge speeds while feeding the operators recorded readings from normal operation, so nothing looked wrong on screen. The centrifuges broke and the operators were left clueless.
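To make the record-and-replay trick concrete, here is a small simulation I added for this post. It is not Stuxnet code and not taken from any report: the toy PLC, the HMI, the "independent meter" and all the numbers (60,000 rpm nominal, 84,000 rpm sabotage setpoint, 20 recorded samples) are made up. It shows the attacker's hook recording normal readings and looping them back to the operator while it drives the real speed up, and two ways a defender can still catch it: a reading that the PLC path cannot touch, and the fact that a replayed recording repeats exactly while real sensor noise never does.

```python
"""Record-and-replay tampering of a plant operator's view, the trick the
post describes for Stuxnet. Added illustration written for this post, not
Stuxnet code: the PLC, the HMI, the sensor channel and every number here
are made up."""
import random

NOMINAL_RPM = 60_000     # assumed normal centrifuge speed (illustrative)
SABOTAGE_RPM = 84_000    # assumed attacker setpoint (illustrative)
RECORD_SAMPLES = 20      # readings the attacker records before acting
SENSOR_NOISE = 50        # std-dev of the assumed sensor noise, in rpm


class Plc:
    """Toy controller: drives a rotor towards a setpoint and reports a
    noisy speed reading. `rpm` is the true physical state."""

    def __init__(self, rng):
        self.rng = rng
        self.setpoint = NOMINAL_RPM
        self.rpm = float(NOMINAL_RPM)

    def tick(self):
        # close 20% of the gap to the setpoint each cycle, then add noise
        self.rpm += 0.2 * (self.setpoint - self.rpm)
        return round(self.rpm + self.rng.gauss(0, SENSOR_NOISE))


class ReplayHook:
    """Sits between PLC and HMI, like the hooked engineering software in
    the post. Phase 1: pass readings through and record them. Phase 2:
    push the sabotage setpoint to the PLC and loop the recording back to
    the HMI, so the operator keeps seeing 'normal'."""

    def __init__(self, plc):
        self.plc = plc
        self.recorded = []
        self.pos = 0

    def read(self):
        real = self.plc.tick()
        if len(self.recorded) < RECORD_SAMPLES:
            self.recorded.append(real)
            if len(self.recorded) == RECORD_SAMPLES:
                self.plc.setpoint = SABOTAGE_RPM   # attack starts here
            return real
        shown = self.recorded[self.pos % RECORD_SAMPLES]
        self.pos += 1
        return shown


def detect_replay(readings, min_period=5):
    """Exact-replay heuristic: real sensor noise never repeats bit for bit,
    so if the last p readings equal the p before them, someone is looping
    a recording. Returns the period found, or None."""
    n = len(readings)
    for p in range(min_period, n // 2 + 1):
        if readings[-p:] == readings[-2 * p:-p]:
            return p
    return None


def cross_check(shown_rpm, meter_rpm, tolerance=1_000):
    """Out-of-band check: compare the HMI value with a sensor the PLC path
    cannot touch (here an assumed independent speed meter)."""
    return abs(shown_rpm - meter_rpm) > tolerance


def simulate(ticks=80, seed=1):
    rng = random.Random(seed)
    plc = Plc(rng)
    hook = ReplayHook(plc)
    hmi, real, flagged = [], [], 0
    for _ in range(ticks):
        shown = hook.read()
        meter = round(plc.rpm + rng.gauss(0, SENSOR_NOISE))  # independent channel
        hmi.append(shown)
        real.append(plc.rpm)
        if cross_check(shown, meter):
            flagged += 1
    return {"hmi": hmi, "real": real, "flagged": flagged,
            "replay_period": detect_replay(hmi)}


if __name__ == "__main__":
    r = simulate()
    print("HMI range:", min(r["hmi"]), "-", max(r["hmi"]))
    print("true rpm at end:", round(r["real"][-1]))
    print("replay period:", r["replay_period"], "cross-check alarms:", r["flagged"])
```

The point of the two checks is that both rely on something the attacker's position does not control: a second sensor path, or the statistics of the readings themselves. A monitoring system that only trusts the same channel the attacker hooked will, as at Natanz, see nothing.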
Next to the highly specific target, Stuxnet used four zero-day exploits to infect the Windows PCs connected to the PLCs. For a single piece of malware that is a huge number, since these exploits are hard to find: they are vulnerabilities not yet known to the manufacturer of the software, so there is no patch and they can do lots of damage (why do you think Windows updates so much…). Stuxnet also used two stolen code-signing certificates, which let Windows believe its drivers were software to be trusted. Next to that it could spread itself via USB sticks and the local network, so once inside a facility it could reach other systems, including ones without an Internet connection.
These examples indicate how large scale this operation was; it wasn’t just one hacker operating from his basement in downtown Rotterdam, it was probably state sponsored. A lot of clues point to the United States collaborating with Israel, since they had the best motive for this attack combined with the resources. For more on this debate, read this interesting Wired article.
Sophisticated espionage toolkit (InformationWeek, 2012)
Another big game changer popped up this year and is dubbed Flame. This malware is not aimed at destroying anything; instead it focuses on espionage. Its code is even more complex (and larger: over 20MB compared to roughly 500KB for Stuxnet) than Stuxnet’s and acts as a complete espionage package. Once a system is infected, in much the same way as with Stuxnet, it logs keystrokes, monitors passwords, takes screenshots of what you are doing and records your microphone or webcam without you noticing anything. Creepy huh? Check out this informative (but less nicely designed) video about Flame.
It has also been confirmed that the Stuxnet and Flame authors shared code: an early Stuxnet version contained a module built on the Flame platform. So like I said, only the tip of the iceberg. For those interested in more state sponsored malware and acts of cyber warfare, I suggest you look up ‘Gauss’, ‘Duqu’ and ‘MiniFlame’. The problem here is that we do not know how much of this malware is already running, and finding it is really difficult. Stuxnet was out in the wild for over a year, Flame for over three years, before being discovered (read more about why this is so difficult from one of my favorite security experts, Mikko Hypponen, in Wired). Next to that, the malware is modular (the authors must have taken some classes in Innovation Management), which means that components like exploits and propagation code can be reused across multiple families of malware, making it really easy to build new malware for specific purposes.
So, what’s next? What kind of malware is already out there and yet to be discovered? Recently Dutch minister Ivo Opstelten proposed that the Netherlands should also start hacking proactively, something other states seem to have been doing for years. Are we too late? Makes me wonder where this cyber war will end… TBD I guess.
Like this? Follow me on Twitter!